Re: Unauthorized account listing from a remote system

From: chris@nospam.com
Date: 11/05/02 

From: chris@nospam.com
Date: Mon, 04 Nov 2002 19:07:33 -0800

On Mon, 4 Nov 2002 16:17:40 -0000, "WB IT" <abuse@127.0.0.1> wrote:

>"Paul Haltenberg" <haltenberg@yahoo.com> wrote in message
>news:c689f975.0211040344.4a31e7f6@posting.google.com...
>> My security logs on Windows NT 4.0 SP6a servers show hundreds of 529
>> and 539 events for last night. Looks like someone outside my LAN
>> attempted to login with the credentials of every user in my domain
>> thus locking out user accounts. First of, I wonder how could this be
>> possible that someone obtained user list for my domain? Second, how
>> could someone attempt to login from a non-domain-member computer?
>> Third, how do I figure out who it was (even log shows workstation name
>> \\ATHLON2000XP, but I don't have such workstation in my domain)?
>> Fourth, how do I prevent this in the future?
>>
>> Any advice/comment would be greatly appreciated!
>> ---
>
>Net use \\yourserver\IPC$ "" /user: "" (null session)
>
>Enum -U -M -S -P -G -L -d yourserver > enum.txt
>
>Nat -o output.txt -u adminname.txt -p hugedictionaryfile.txt yourserver
>
>b00m busted in and got your ***.
>
>Maybe they just skipped straight to NAT and enumerated your server.
>
>Who knows.
>
>I suggest you check out RestrictAnonymous=1/2.

Even better BLOCK PORTS THE NETBIOS ports. Only the very clueless and
naive expose MS networking to the internet. I bet you run Microsoft
IIS too.